Scapy BTBB Demo 

• This demo serves as a brief scapy tutorial but more importantly, it 
illustrates the btbb layer in Scapy 

• it also demonstrates utilities and helpers provided by the library 

• if you have issues installing the btbb scapy module, please refer 
to the documentation at hackgnar.com 


library imports 

• import everything from scapy for the demo 

• import everything from the btbb Scapy module 


In [2]: from scapy.all import * 
from btbb import * 


Open btbb pcap file: 

• btbb pcap files for this demo were created with Kismet and Ubertooth 

• ■ these can also be created by other means such as USRP and Kismet, etc 


In [3]: btbb_j?caps = PcapReader( 'small.pcapbtbb' ) 


Read one packet from the pcap file: 

• btbb packet is read pcap file and instantiated as Scapy packet 


In [ 4 ]: pkt = btbb_pcaps. read_j?acket () 


Packet sample: 

• nothing special about this packet. Looks like a typical Ethernet packet 

• btbb packets are layered on top of the ethernet layer much like the wireshark btbb layout 

• when nothing is present in the btbb layer, these look exactly like ethernet packets 
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###[ Ethernet ]### 

dst = 00:00:00:00:00:00 
src = 00:00:00:ed:Id:9c 
type = OxfffO 


Interactively iterate through packets: 

• we can run the following over and over to look though packets 

In [ 6 ]: pkt = btbb_j?caps. read_j?acket () 
pkt.show() 

In [7]: pkt.summary() 

Out[7]: '00:00:00:ed:ld:9c > 00:00:00:00:00:00 (OxfffO)' 


Conditionally iterate though btbb pcap file: 

• iterate though the pcap file 

• display summary data for all packets 

• display detailed data if a btbb payload exists 


m [8] 


for pkt in btbb_j?caps: 
print pkt.summary() 
if pkt.haslayer( 'BtbbPayload' ): 
pkt.show() 

break 


00:00:00:ed:ld:9c > 00:00:00:00:00:00 
00:00:00:ed:ld:9c > 00:00:00:00:00:00 
00:00:00:ed:ld:9c > 00:00:00:00:00:00 
00:00:00:ed:ld:9c > 00:00:00:00:00:00 
00:00:36:ed:ld:9c > 00:00:00:00:00:00 


(OxfffO) 

(OxfffO) 

(OxfffO) 

(OxfffO) 

(OxfffO) / Btbb / BtbbMeta / 


BtbbPacket / BtbbPayload 
###[ Ethernet ]### 

dst = 00:00:00:00:00:00 

src = 00:00:36:ed:Id:9c 

type = OxfffO 

###[ btbb ]### 

###[ meta ]### 

CLK = 0x7000000L 

Channel = 39L 

Padding = 0L 

known address bits= 32 (NAP unknown) 



known clock bits= 6 
###[ packet ]### 

type = DH1/2-DH1 

LT_ADDR = OxlL 
SEQN_Flag = 1L 
ARQN_Flag = OL 
FLOW_Flag = 1L 
HEC = 0xc9 

###[ payload ]### 

header_length= 3L 
header_flow= 1L 
header_LLlD= OL 
body = '\x0e\xl3\xdl' 

CRC = 0x6209L 


Packet list 

• instantiate the rest of the packets into a list of packets 


In [9]: btbb_pkt_list = btbb_pcaps.read_all() 


In [10]: print len(btbb_pkt_list) 

for item in btbb_pkt_list[: 5 ]: 
print item.summary() 


456 

00:00:36:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 
BtbbPacket 

00:00:36:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 
BtbbPacket 

00:00:36:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 
BtbbPacket 

00:00:36:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 
BtbbPacket 

00:00:36:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 
BtbbPacket 


/ Btbb 
/ Btbb 
/ Btbb 
/ Btbb 
/ Btbb 


Write btbb pcap files: 

• we can also write btbb packets back to new pcap files if we like 


In [11]: pcapbtbb_writer = PcapWriter( 'new_pcap_file.pcapbtbb' ) 
pcapbtbb_writer.write(btbb_pkt_list) 


BtbbMeta / 
BtbbMeta / 
BtbbMeta / 
BtbbMeta / 
BtbbMeta / 


In [12]: !ls -li new_pcap_file.pcapbtbb 




j-ppcj. 


new_pc ap_file.pcapbtbb 


In [13]: new_btbb_pkts = PcapReader( "new_pcap_file.pcapbtbb" ) 
pkts = new_btbb__pkts .read_all() 
print len(pkts) 
for i in pkts[: 5 ]: 

print i.summary() 


In [14] 


412 

00:00:36ted:Id:9c > 00:00:00:00:00:00 
BtbbPacket 

00:00:36ted:Id:9c > 00:00:00:00:00:00 
BtbbPacket 

00:00:36:ed:ld:9c > 00:00:00:00:00:00 
BtbbPacket 

00:00:36:ed:ld:9c > 00:00:00:00:00:00 
BtbbPacket 

00:00:36ted:Id:9c > 00:00:00:00:00:00 
BtbbPacket 


new_btbb_pkts.close() 
btbb_pcaps.close() 


(OxfffO) 

(OxfffO) 

(OxfffO) 

(OxfffO) 

(OxfffO) 


/ Btbb 
/ Btbb 
/ Btbb 
/ Btbb 
/ Btbb 


Btbb Pcap File Stream: 

• Generic way to stream data from bluetooth baseband hardware 

• Relies on the fact that they have a way to write btbb pcap files 

• Allows for interactive real time packet monitoring 


In [15]: log_dir = "path/to/kismet/logs" 

latest_file = !ls -tl $log_dir | head -1 
latest_file = log_dir + '/' + latest_file[ 0 ] 
latest_file 

Out[15]: 'path/to/kismet/logs/kismet-log.pcapbtbb' 

In [16]: btbb_stream = BtbbPcapStreamer(latest_file) 

In [17]: for pkt in btbb_stream.stream (output= 1 packet 1 ): 
print pkt.summary() 

00:00:00:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 
00:00:00:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 
00:00:00:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 
00:00:00:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 
00:00:00:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 
00:00:00:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 
00:00:36:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) / Btbb 


BtbbMeta / 
BtbbMeta / 
BtbbMeta / 
BtbbMeta / 
BtbbMeta / 


BtbbMeta / 







BtctPacKet / BtJDJDPayioaci 

00:00:36ted:Id:9c > 00:00:00:00:00:00 

BtbbPacket 

00:00:36ted:Id:9c > 00:00:00:00:00:00 
BtbbPacket 

00:00:36:ed:ld:9c > 00:00:00:00:00:00 
BtbbPacket 

00:00:36:ed:ld:9c > 00:00:00:00:00:00 
BtbbPacket 

00:00:36ted:Id:9c > 00:00:00:00:00:00 
BtbbPacket 

00:00:36:ed:ld:9c > 00:00:00:00:00:00 
BtbbPacket 


(OxfffO) 

(OxfffO) 

(OxfffO) 

(OxfffO) 

(OxfffO) 

(OxfffO) 


/ Btbb / 
/ Btbb / 
/ Btbb / 
/ Btbb / 
/ Btbb / 
/ Btbb / 


In [20]: btbb_stream.close() 


Btbb layer helper methods 

• a sample of some of the helper methods provided by soapy btbb 

• lets open a new pcap file, read in the packets and define some vars first 


In [22]: manuf_file= 'path/to/wireshark/manuf' 

!wc -1 $manuf_file 

20805 path/to/wireshark/manuf 

In [23]: btbb_j?caps = PcapReader( 'small.pcapbtbb' ) 
pkts = btbb_pcaps.read_all() 


In [24]: for i in range (10): 

print i , pkts[i].summary() 


0 00:00:00ted:Id:9c > 00:00:00:00:00:00 (OxfffO) 

1 00:00:00:ed:Id:9c > 00:00:00:00:00:00 (OxfffO) 

2 00:00:00:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 

3 00:00:00ted:Id:9c > 00:00:00:00:00:00 (OxfffO) 

4 00:00:00:ed:ld:9c > 00:00:00:00:00:00 (OxfffO) 

5 00:00:00 ted:Id:9c > 00:00:00:00:00:00 (OxfffO) 

6 00:00:36ted:Id:9c > 00:00:00:00:00:00 (OxfffO) 
BtbbPacket / BtbbPayload 

7 00:00:36:ed:Id:9c > 00:00:00:00:00:00 (OxfffO) 
BtbbPacket 

8 00:00:36 ted:Id:9c > 00:00:00:00:00:00 (OxfffO) 
BtbbPacket 

9 00:00:36ted:Id:9c > 00:00:00:00:00:00 (OxfffO) 
BtbbPacket 


/ Btbb 
/ Btbb 
/ Btbb 
/ Btbb 


BtbbMeta / 
BtbbMeta / 
BtbbMeta / 
BtbbMeta / 
BtbbMeta / 
BtbbMeta / 


/ BtbbMeta / 
/ BtbbMeta / 
/ BtbbMeta / 
/ BtbbMeta / 




Vendor lookup: 


• can lookup vendor based on a bluetooth address 

• can lookup vendor based on packet 

• vendor determination is more accurate when both nap and uap are known 

• when only a uap is know, a list of possible vendors and associated nap is returned 

• if your wireshark manuf file is not in a default location you must specify as seen below 


In [25]: get_vendor( 1 00:11:36:ed:Id:9c 1 , manuf_file=manuf_file) 

Out[25]: [('00:11:36', 'Goodrich')] 

In [26]: possible_vendors = get_vendor(pkts[ 6 ],manuf_file=manuf_file) 


In [27]: len(possible_vendors) 
Out[27]: 60 


In [28]: possible_vendors[: 10 ] 


Out[28]: 


[('00:00:36', 
('00:01:36' , 
('00:02:36', 
('00:03:36', 
('00:04:36', 
('00:05:36', 
('00:06:36', 
('00:07:36' , 
('00:09:36', 
('00:0A:36', 


'Atari'), 

'Cybertan'), 
'Init'), 

'ZetesTec'), 
'ElansatT'), 
'DanamCom'), 
'JedaiBro'), 
'DataVide'), 
'Ipetroni'), 
'SynelecT')] 


Distinct bluetooth address lookup: 

• distinct bluetooth addresses can be looked up 

• useful for quickly determining what devices are in a list of packets 

• useful for passing to other tools/modules for analysis, exploitation, etc 


In [29]: bt_addrs = get_btaddress(*pkts) 
bt_addrs 

Out[29]: ['00:00:00:c3:ec:46', 

'00:00:00:db:cl:fa', 

'00:00:36:ed:ld:9c', 

'00:00:d2:59:84:d9', 
'00:00:00:ff:c4:ab'] 



example of sending btaddr info to the pybluez bluetooth name lookup method 


In [ ]: import bluetooth 

for addr in bt_addrs: 

print bluetooth.lookup_name(addr) 



